SixLabors.ImageSharp.Drawing has potential vulnerability

[plade]

Describe the bug
SixLabors.ImageSharp.Drawing version needs to be upgraded to 2.0.0 or later.
Previous versions use SixLabors.ImageSharp with a potential vulnerability that was fixed in PR SixLabors/ImageSharp#2524

[plade]

It looks like SixLabors.ImageSharp.Drawing is not netstandard anymore, so this will need a bit more work than just upgrading the package.

[danielpalme]

I think that's a minor issue.

ReportGenerator uses ImageSharp to generate images/badges. It does not process arbitrary images from outside. So it's not possible to exploit the vulnerability in this context.

[plade]

Yes I believe it's quite a non-issue.

Would you mind if I tried to contribute and fix it as a small project for myself?

[danielpalme]

Sure. Maybe there a way to replace ImageSharp completely, as it's only used for some simple rendering.

[danielpalme]

I think I will remove ImageSharp completely.
It's only used for:

• some PNG badges. They already have an SVG alternative.
• A PNG chart. This can be also replaced by an SVG image.

[danielpalme]

Made the necessary changes in ae8c4fc.

• Report type PngChart is now replaced with SvgChart.
• Badges in PNG format are no longer generated
• Fallback PNG history charts (only visible in HTML report, if JavaScript is disabled) are also in SVG format (and look much better now)